Replace DTLS r_epoch with the read epoch from the TLSv1.2 record layer.

ok inoguchi@ tb@
author: jsing <> 2021-08-30 19:12:25 +0000
committer: jsing <> 2021-08-30 19:12:25 +0000
commit: cedbde20c0ecfb870c00ce4fe4401f89a9397b6d (patch)
tree: 2d39ac8fc8532fdfcf26841981b52bd4c01b1e0f /src
parent: abf6f6607dda2d28fb254cd45e519fec1091fc0d (diff)
download: openbsd-cedbde20c0ecfb870c00ce4fe4401f89a9397b6d.tar.gz
openbsd-cedbde20c0ecfb870c00ce4fe4401f89a9397b6d.tar.bz2
openbsd-cedbde20c0ecfb870c00ce4fe4401f89a9397b6d.zip
5 files changed, 26 insertions, 27 deletions
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index 3db5629e23..d4280a277c 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.58 2021/07/21 08:42:14 jsing Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.59 2021/08/30 19:12:25 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -191,10 +191,8 @@ dtls1_clear(SSL *s)
                memset(s->d1, 0, sizeof(*s->d1));
                s->d1->internal = internal;
-                D1I(s)->r_epoch =
+                D1I(s)->unprocessed_rcds.epoch =
-                    tls12_record_layer_initial_epoch(s->internal->rl);
+                    tls12_record_layer_read_epoch(s->internal->rl) + 1;
-                D1I(s)->unprocessed_rcds.epoch = D1I(s)->r_epoch + 1;
                if (s->server) {
                        D1I(s)->cookie_len = sizeof(D1I(s)->cookie);
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 6963e58ed3..4f0678f0b8 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.105 2021/07/31 09:31:04 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.106 2021/08/30 19:12:25 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -273,12 +273,14 @@ static int
 dtls1_process_buffered_record(SSL *s)
 {
        /* Check if epoch is current. */
-        if (D1I(s)->unprocessed_rcds.epoch != D1I(s)->r_epoch)
+        if (D1I(s)->unprocessed_rcds.epoch !=
+            tls12_record_layer_read_epoch(s->internal->rl))
                return (0);
        /* Update epoch once all unprocessed records have been processed. */
        if (pqueue_peek(D1I(s)->unprocessed_rcds.q) == NULL) {
-                D1I(s)->unprocessed_rcds.epoch = D1I(s)->r_epoch + 1;
+                D1I(s)->unprocessed_rcds.epoch =
+                    tls12_record_layer_read_epoch(s->internal->rl) + 1;
                return (0);
        }
@@ -858,7 +860,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                /* this may just be a stale retransmit */
                if (!dtls1_get_message_header(rr->data, &msg_hdr))
                        return -1;
-                if (rr->epoch != D1I(s)->r_epoch) {
+                if (rr->epoch != tls12_record_layer_read_epoch(s->internal->rl)) {
                        rr->length = 0;
                        goto start;
                }
@@ -1136,17 +1138,20 @@ dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap,
 static DTLS1_BITMAP *
 dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch)
 {
-        uint16_t next_epoch = D1I(s)->r_epoch + 1;
+        uint16_t read_epoch, read_epoch_next;
        *is_next_epoch = 0;
+        read_epoch = tls12_record_layer_read_epoch(s->internal->rl);
+        read_epoch_next = read_epoch + 1;
        /* In current epoch, accept HM, CCS, DATA, & ALERT */
-        if (rr->epoch == D1I(s)->r_epoch)
+        if (rr->epoch == read_epoch)
                return &D1I(s)->bitmap;
        /* Only HM and ALERT messages can be from the next epoch */
-        else if (rr->epoch == next_epoch &&
+        if (rr->epoch == read_epoch_next &&
-                (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
+            (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
                *is_next_epoch = 1;
                return &D1I(s)->next_bitmap;
        }
@@ -1157,7 +1162,6 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch)
 void
 dtls1_reset_read_seq_numbers(SSL *s)
 {
-        D1I(s)->r_epoch++;
        memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), sizeof(DTLS1_BITMAP));
        memset(&(D1I(s)->next_bitmap), 0, sizeof(DTLS1_BITMAP));
 }
diff --git a/src/lib/libssl/dtls_locl.h b/src/lib/libssl/dtls_locl.h
index 97f05b26bd..83fb9e0e10 100644
--- a/src/lib/libssl/dtls_locl.h
+++ b/src/lib/libssl/dtls_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dtls_locl.h,v 1.4 2021/07/26 03:17:38 jsing Exp $ */
+/* $OpenBSD: dtls_locl.h,v 1.5 2021/08/30 19:12:25 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -132,13 +132,6 @@ typedef struct dtls1_state_internal_st {
        unsigned char rcvd_cookie[DTLS1_COOKIE_LENGTH];
        unsigned int cookie_len;
-        /*
-         * The current data and handshake epoch.  This is initially
-         * undefined, and starts at zero once the initial handshake is
-         * completed
-         */
-        unsigned short r_epoch;
        /* records being received in the current epoch */
        DTLS1_BITMAP bitmap;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index f3650f238e..d25ac1a1a6 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.356 2021/07/26 03:17:38 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.357 2021/08/30 19:12:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -641,7 +641,7 @@ void tls12_record_layer_set_version(struct tls12_record_layer *rl,
    uint16_t version);
 void tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl,
    uint16_t epoch);
-uint16_t tls12_record_layer_initial_epoch(struct tls12_record_layer *rl);
+uint16_t tls12_record_layer_read_epoch(struct tls12_record_layer *rl);
 uint16_t tls12_record_layer_write_epoch(struct tls12_record_layer *rl);
 int tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl,
    uint16_t epoch);
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index f59364bb67..6d7d8696eb 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_record_layer.c,v 1.33 2021/08/30 19:00:49 jsing Exp $ */
+/* $OpenBSD: tls12_record_layer.c,v 1.34 2021/08/30 19:12:25 jsing Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 *
@@ -296,9 +296,9 @@ tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl,
 }
 uint16_t
-tls12_record_layer_initial_epoch(struct tls12_record_layer *rl)
+tls12_record_layer_read_epoch(struct tls12_record_layer *rl)
 {
-        return rl->initial_epoch;
+        return rl->read->epoch;
 }
 uint16_t
@@ -580,6 +580,10 @@ tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
        /* Read sequence number gets reset to zero. */
+        /* DTLS epoch is incremented and is permitted to wrap. */
+        if (rl->dtls)
+                read_new->epoch = rl->read_current->epoch + 1;
        if (!tls12_record_layer_change_cipher_state(rl, read_new, 0,
            mac_key, key, iv))
                goto err;
author	jsing <>	2021-08-30 19:12:25 +0000
committer	jsing <>	2021-08-30 19:12:25 +0000
commit	cedbde20c0ecfb870c00ce4fe4401f89a9397b6d (patch)
tree	2d39ac8fc8532fdfcf26841981b52bd4c01b1e0f /src
parent	abf6f6607dda2d28fb254cd45e519fec1091fc0d (diff)
download	openbsd-cedbde20c0ecfb870c00ce4fe4401f89a9397b6d.tar.gz openbsd-cedbde20c0ecfb870c00ce4fe4401f89a9397b6d.tar.bz2 openbsd-cedbde20c0ecfb870c00ce4fe4401f89a9397b6d.zip